At least one step of the analysis has failed, we have been notified. Don't worry, the devil is in the details.
Something seems to be broken? Contact us!
Malicious
17
/63
Threat
com.mobilesoft.security.password
All Passwords
Analyzed on 2022-01-20T20:05:03.372684
20
permissions
15
activities
13
services
11
receivers
19
domains
File sums
| MD5 | c818b35d9036c723e79466205d9b3e53 | |
| SHA1 | eb3de98f4934a4c98308c35486363a1e1a9a5668 | |
| SHA256 | 978ad2b051276ca5a080e3997883626da50dacc4da88a6e831fd67f363adee92 | |
| Size | 12.73MB |
APKiD
Information computed with APKiD.
| /tmp/tmpe9_6urfp!classes.dex | |
| anti_vm |
|
| anti_debug |
|
| compiler |
|
SSdeep
Information computed with ssdeep.
| APK file | 393216:JFSv4/gKSPpkQilw9XdD1My3OfkDahWHimY7L:JkvIxSP6wd6y396pH | |
| Manifest | 384:PQFztk4RxcKE6X1SbAoT8ztoOegEJ3y/GAavEg1gJ/KVQcCrAX5Y7l+TtrTFu0Ht:… | |
| classes.dex | 49152:jFBZtvnwVBpb801pnIpYJDLSZoHjCkVygMt2l+ZoDVZZko44Rb1eB5oG3ZHxsIt… |
Dexofuzzy
Information computed with Dexofuzzy.
| APK file | 6144:KXi4Q95CkxsG4oveYQqDt8lSuu4TuHAwel/loiqt:Qi4QtZcgti64Xwezois | |
| classes.dex | 6144:KXi4Q95CkxsG4oveYQqDt8lSuu4TuHAwel/loiqt:Qi4QtZcgti64Xwezois |
APK details
Information computed with AndroGuard and Pithus.
Certificate details
Information computed with AndroGuard.
Manifest analysis
Information computed with MobSF.
| High | Clear text traffic is Enabled For App[android:usesCleartextTraffic=true] The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager, and MediaPlayer. The default value for apps that target API level 27 or lower is "true". Apps that target API level 28 or higher default to "false". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected. |
| High | Broadcast Receiver (com.mobilesoft.security.password.bg.MainReceiver) is not Protected.An intent-filter exists. A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported. |
| High | Activity (androidx.biometric.DeviceCredentialHandlerActivity) is not Protected. [android:exported=true] An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. |
| High | Launch Mode of Activity (com.google.firebase.auth.internal.FederatedSignInActivity) is not standard. An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent. |
| High | Activity (com.google.firebase.auth.internal.FederatedSignInActivity) is Protected by a permission, but the protection level of the permission should be checked.Permission: com.google.firebase.auth.api.gms.permission.LAUNCH_FEDERATED_SIGN_IN [android:exported=true] An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. |
| High | Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is Protected by a permission, but the protection level of the permission should be checked.Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. |
| High | Service (androidx.work.impl.background.systemjob.SystemJobService) is Protected by a permission, but the protection level of the permission should be checked.Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. |
| High | Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.Permission: com.google.android.c2dm.permission.SEND [android:exported=true] A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. |
Main Activity
Information computed with AndroGuard.
|
Activities
Information computed with AndroGuard.
|
Receivers
Information computed with AndroGuard.
|
Services
Information computed with AndroGuard.
|
Sample timeline
| Latest file found in APK | Oct. 12, 2020, 2:24 a.m. |
| Certificate valid not before | Oct. 12, 2020, 6:38 a.m. |
| First submission on VT | Oct. 29, 2021, 7:30 a.m. |
| Last submission on VT | Oct. 29, 2021, 7:30 a.m. |
| Upload on Pithus | Jan. 20, 2022, 8:05 p.m. |
| Certificate valid not after | Oct. 12, 2050, 6:38 a.m. |
VirusTotal
| Score | 17/63 |
| Report | https://www.virustotal.com/gui/file/978ad2b051276ca5a080e3997883626da50dacc4da88a6e831fd67f363adee92/detection |
Most Popular AV Detections
Provided by VirusTotal
| Threat name: abstractemu | Identified 5 times |
| Threat name: artemis | Identified 2 times |
NIAP analysis
Information computed with MobSF.
| FCS_RBG_EXT.1.1 | The application invoke platform-provided DRBG functionality for its cryptographic operations. Random Bit Generation Services |
| FCS_STO_EXT.1.1 | The application does not store any credentials to non-volatile memory. Storage of Credentials |
| FCS_CKM_EXT.1.1 | The application generate no asymmetric cryptographic keys. Cryptographic Key Generation Services |
| FDP_DEC_EXT.1.1 | The application has access to ['location', 'bluetooth', 'network connectivity']. Access to Platform Resources |
| FDP_DEC_EXT.1.2 | The application has access to ['address book']. Access to Platform Resources |
| FDP_NET_EXT.1.1 | The application has user/application initiated network communications. Network Communications |
| FDP_DAR_EXT.1.1 | The application implement functionality to encrypt sensitive data in non-volatile memory. Encryption Of Sensitive Application Data |
| FMT_MEC_EXT.1.1 | The application invoke the mechanisms recommended by the platform vendor for storing and setting configuration options. Supported Configuration Mechanism |
| FTP_DIT_EXT.1.1 | The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product. Protection of Data in Transit |
| FCS_RBG_EXT.2.1 FCS_RBG_EXT.2.2 |
The application perform all deterministic random bit generation (DRBG) services in accordance with NIST Special Publication 800-90A using Hash_DRBG. The deterministic RBG is seeded by an entropy source that accumulates entropy from a platform-based DRBG and a software-based noise source, with a minimum of 256 bits of entropy at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate. Random Bit Generation from Application |
| FCS_COP.1.1(2) | The application perform cryptographic hashing services not in accordance with FCS_COP.1.1(2) and uses the cryptographic algorithm RC2/RC4/MD4/MD5. Cryptographic Operation - Hashing |
| FCS_HTTPS_EXT.1.1 | The application implement the HTTPS protocol that complies with RFC 2818. HTTPS Protocol |
| FCS_HTTPS_EXT.1.2 | The application implement HTTPS using TLS. HTTPS Protocol |
| FCS_HTTPS_EXT.1.3 | The application notify the user and not establish the connection or request application authorization to establish the connection if the peer certificate is deemed invalid. HTTPS Protocol |
| FIA_X509_EXT.2.1 | The application use X.509v3 certificates as defined by RFC 5280 to support authentication for HTTPS , TLS. X.509 Certificate Authentication |
| FPT_TUD_EXT.2.1 | The application shall be distributed using the format of the platform-supported package manager. Integrity for Installation and Update |
Code analysis
Information computed with MobSF.
Map computed by Pithus.
Domains analysis
Information computed with MobSF.
URL analysis
Information computed with MobSF.
|
https://github.com/grpc/grpc-java/issues/5015 Defined in d/a/j1/m1.java |
|
|
https://play.google.com/store/apps/details?id=%s&%s=%s&%s=%s https://allpasswords.page.link Defined in com/mobilesoft/security/password/activity/UpgradeActivity.java |
|
|
https://play.google.com/store/apps/details?id=%s&%s=%s&%s=%s https://allpasswords.page.link Defined in com/mobilesoft/security/password/activity/UpgradeActivity.java |
|
|
https://all-passwords.flycricket.io/privacy.html Defined in com/mobilesoft/security/password/activity/PrivacyActivity.java |
|
|
http://play.google.com/store/apps/details?id= https://play.google.com/store/apps/details?id= Defined in b/f/b/a/j/b.java |
|
|
http://play.google.com/store/apps/details?id= https://play.google.com/store/apps/details?id= Defined in b/f/b/a/j/b.java |
|
|
https://update.crashlytics.com/spi/v1/platforms/android/apps https://update.crashlytics.com/spi/v1/platforms/android/apps/%s https://reports.crashlytics.com/spi/v1/platforms/android/apps/%s/reports https://reports.crashlytics.com/sdk-api/v1/platforms/android/apps/%s/minidumps Defined in b/e/c/o/e/s/h.java |
|
|
https://update.crashlytics.com/spi/v1/platforms/android/apps https://update.crashlytics.com/spi/v1/platforms/android/apps/%s https://reports.crashlytics.com/spi/v1/platforms/android/apps/%s/reports https://reports.crashlytics.com/sdk-api/v1/platforms/android/apps/%s/minidumps Defined in b/e/c/o/e/s/h.java |
|
|
https://update.crashlytics.com/spi/v1/platforms/android/apps https://update.crashlytics.com/spi/v1/platforms/android/apps/%s https://reports.crashlytics.com/spi/v1/platforms/android/apps/%s/reports https://reports.crashlytics.com/sdk-api/v1/platforms/android/apps/%s/minidumps Defined in b/e/c/o/e/s/h.java |
|
|
https://update.crashlytics.com/spi/v1/platforms/android/apps https://update.crashlytics.com/spi/v1/platforms/android/apps/%s https://reports.crashlytics.com/spi/v1/platforms/android/apps/%s/reports https://reports.crashlytics.com/sdk-api/v1/platforms/android/apps/%s/minidumps Defined in b/e/c/o/e/s/h.java |
|
|
https://firebase.google.com/support/privacy/init-options. Defined in b/e/c/y/f.java |
|
|
https://bit.ly/2XFpdma Defined in b/e/c/u/m0/b.java |
|
|
https://app-measurement.com/a Defined in b/e/a/b/g/i/y9.java |
|
|
https://plus.google.com/ Defined in b/e/a/b/d/o/j0.java |
|
|
https://accounts.google.com/o/oauth2/revoke?token= Defined in b/e/a/b/b/a/d/c/e.java |
|
|
https://firebase.google.com/support/guides/disable-analytics Defined in b/e/a/b/h/b/t3.java |
|
|
https://google.com/search? Defined in b/e/a/b/h/b/j7.java |
|
|
www.google.com https://www.google.com https://www.googleadservices.com/pagead/conversion/app/deeplink?id_type=adid&sdk_version=%s&rdid=%s&bundleid=%s&retry=%s https://goo.gl/NAOOOI. https://goo.gl/NAOOOI Defined in b/e/a/b/h/b/z9.java |
|
|
www.google.com https://www.google.com https://www.googleadservices.com/pagead/conversion/app/deeplink?id_type=adid&sdk_version=%s&rdid=%s&bundleid=%s&retry=%s https://goo.gl/NAOOOI. https://goo.gl/NAOOOI Defined in b/e/a/b/h/b/z9.java |
|
|
www.google.com https://www.google.com https://www.googleadservices.com/pagead/conversion/app/deeplink?id_type=adid&sdk_version=%s&rdid=%s&bundleid=%s&retry=%s https://goo.gl/NAOOOI. https://goo.gl/NAOOOI Defined in b/e/a/b/h/b/z9.java |
|
|
www.google.com https://www.google.com https://www.googleadservices.com/pagead/conversion/app/deeplink?id_type=adid&sdk_version=%s&rdid=%s&bundleid=%s&retry=%s https://goo.gl/NAOOOI. https://goo.gl/NAOOOI Defined in b/e/a/b/h/b/z9.java |
|
|
https://app-measurement.com/a Defined in b/e/a/b/h/b/t.java |
|
|
https://pagead2.googlesyndication.com/pagead/gen_204?id=gmob-apps Defined in b/e/a/b/a/a/b.java |
|
|
http://schemas.android.com/apk/res/android Defined in a/b/k/p.java |
|
|
https://all-passwords.firebaseio.com https://www.zetetic.net/sqlcipher/ https://www.zetetic.net/sqlcipher/license/ https://github.com/sqlcipher/android-database-sqlcipher Defined in Android String Resource |
|
|
https://all-passwords.firebaseio.com https://www.zetetic.net/sqlcipher/ https://www.zetetic.net/sqlcipher/license/ https://github.com/sqlcipher/android-database-sqlcipher Defined in Android String Resource |
|
|
https://all-passwords.firebaseio.com https://www.zetetic.net/sqlcipher/ https://www.zetetic.net/sqlcipher/license/ https://github.com/sqlcipher/android-database-sqlcipher Defined in Android String Resource |
|
|
https://all-passwords.firebaseio.com https://www.zetetic.net/sqlcipher/ https://www.zetetic.net/sqlcipher/license/ https://github.com/sqlcipher/android-database-sqlcipher Defined in Android String Resource |
Permissions analysis
Information computed with MobSF.
Tracking analysis
Information computed with Exodus-core.
| Google CrashLytics | https://reports.exodus-privacy.eu.org/fr/trackers/27 |
| Google Firebase Analytics | https://reports.exodus-privacy.eu.org/fr/trackers/49 |
Threat analysis
Information computed with Quark-Engine.
| Confidence:
|
Check if the network is connected |
| Confidence:
|
Get location of the current GSM and put it into JSON |
| Confidence:
|
Load external class |
| Confidence:
|
Create a socket connection to the given host address |
| Confidence:
|
Implicit intent(view a web page, make a phone call, etc.) |
| Confidence:
|
Get absolute path of file and put it to JSON object |
| Confidence:
|
Find a method from given class name, usually for reflection |
| Confidence:
|
Check the active network type |
| Confidence:
|
Method reflection |
| Confidence:
|
Get the network operator name |
| Confidence:
|
Connect to a URL and read data from it |
| Confidence:
|
Monitor data identified by a given content URI changes(SMS, MMS, etc.) |
| Confidence:
|
Create a secure socket connection to the given host address |
| Confidence:
|
Load class from given class name |
| Confidence:
|
Retrieve data from broadcast |
| Confidence:
|
Read sensitive data(SMS, CALLLOG, etc) |
| Confidence:
|
Implicit intent(view a web page, make a phone call, etc.) via setData |
| Confidence:
|
Query user account information |
| Confidence:
|
Connect to a URL and get the response code |
| Confidence:
|
Send notification |
| Confidence:
|
Monitor the broadcast action events (BOOT_COMPLETED) |
| Confidence:
|
Get absolute path of the file and store in string |
| Confidence:
|
Check the current active network type |
| Confidence:
|
Create a socket connection to the proxy address |
| Confidence:
|
Check the network capabilities |
| Confidence:
|
Get last known location of the device |
| Confidence:
|
Get calendar information |
| Confidence:
|
Get the current WIFI information |
| Confidence:
|
Get location of the device |
| Confidence:
|
Query the IMEI number |
| Confidence:
|
Create a secure socket connection to the proxy address |
| Confidence:
|
Method reflection |
| Confidence:
|
Hide the current app's icon |
| Confidence:
|
Get location of the current GSM and put it into JSON |
| Confidence:
|
Connect to the remote server through the given URL |
| Confidence:
|
Query WiFi information and WiFi Mac Address |
| Confidence:
|
Query data from URI (SMS, CALLLOGS) |
| Confidence:
|
Check if the device is in data roaming mode |
| Confidence:
|
Read file into a stream and put it into a JSON object |
| Confidence:
|
Query the phone number |
| Confidence:
|
Get the time of current location |
| Confidence:
|
Initialize class object dynamically |
| Confidence:
|
Read the input stream from given URL |
| Confidence:
|
Get the current WiFi MAC address |
| Confidence:
|
Connect to a URL and set request method |
| Confidence:
|
Get specific method from other Dex files |
| Confidence:
|
Get location info of the device and put it to JSON object |
| Confidence:
|
Connect to a URL and receive input stream from the server |
| Confidence:
|
Read file and put it into a stream |
| Confidence:
|
Return dynamic information about the current Wi-Fi connection |
| Confidence:
|
Read file from assets directory |
| Confidence:
|
Query the network operator name |
| Confidence:
|
Get the current WiFi information and put it into JSON |
| Confidence:
|
Get the current WiFi MAC address and put it into JSON |
| Confidence:
|
Get location and put it into JSON |
| Confidence:
|
Get filename and put it to JSON object |
| Confidence:
|
Get resource file from res/raw directory |
Behavior analysis
Information computed with MobSF.
Control flow graphs analysis
Information computed by Pithus.
The application probably loads JS-capable web views
The application probably dynamically loads code
- d/a/k1/i
- b/e/a/b/i/a
- b/e/a/b/d/t/a
- b/e/a/b/h/b/z9
- com/google/android/gms/dynamite/DynamiteModule
- com/google/android/gms/dynamite/DynamiteModule
- com/google/android/gms/dynamite/DynamiteModule
- com/google/android/gms/dynamite/DynamiteModule
- com/google/android/gms/dynamite/DynamiteModule
- d/a/k1/p/i
- b/e/c/w/t0$a
The application probably gets different information regarding the telephony capabilities
The application probably determines the location based on cell towers
The application probably gets the phone number associated to the SIM card
The application probably scans the Wi-Fi network
The application probably gets the Wi-Fi connection information
The application probably gets the network connections information
The application probably gets network interfaces addresses (IP and/or MAC)
The application probably uses reflection
The application probably uses the phone sensors
The application probably plays sound
The application probably reads the Android serial number
The application probably sends data over HTTP/S
The application probably starts another application
The application probably gets memory and CPU information
The application probably creates an accessibility service
The application probably listens accessibility events
- a/b/k/p$j
- a/i/n/q
- a/b/q/e0
- b/e/a/c/r/a
- androidx/drawerlayout/widget/DrawerLayout$b
- a/b/q/f
- a/b/q/n0$d
- androidx/appcompat/widget/ActionBarContextView
- androidx/core/widget/NestedScrollView$a
- androidx/appcompat/widget/SwitchCompat
- a/k/b/a
- com/google/android/material/button/MaterialButton
- androidx/recyclerview/widget/RecyclerView
- a/i/n/q
- androidx/recyclerview/widget/RecyclerView
- a/i/n/q
- a/k/b/a
- androidx/drawerlayout/widget/DrawerLayout$b
- androidx/appcompat/widget/SwitchCompat
- androidx/core/widget/NestedScrollView$a
- a/k/b/a
- androidx/recyclerview/widget/RecyclerView$n
- androidx/recyclerview/widget/RecyclerView$n
- a/k/b/a
- androidx/appcompat/widget/ActionBarContextView
- a/k/b/a
- a/k/b/a
- a/k/b/a
- b/e/a/c/r/a
- com/google/android/material/internal/CheckableImageButton$a